X

Google accounts hit with malware -- a million and growing

Security firm Check Point says a Trojan horse campaign called Gooligan is striking 13,000 new Google accounts every day.

Joan E. Solsman Former Senior Reporter
Joan E. Solsman was CNET's senior media reporter, covering the intersection of entertainment and technology. She's reported from locations spanning from Disneyland to Serbian refugee camps, and she previously wrote for Dow Jones Newswires and The Wall Street Journal. She bikes to get almost everywhere and has been doored only once.
Expertise Streaming video, film, television and music; virtual, augmented and mixed reality; deep fakes and synthetic media; content moderation and misinformation online Credentials
  • Three Folio Eddie award wins: 2018 science & technology writing (Cartoon bunnies are hacking your brain), 2021 analysis (Deepfakes' election threat isn't what you'd think) and 2022 culture article (Apple's CODA Takes You Into an Inner World of Sign)
Richard Nieva Former senior reporter
Richard Nieva was a senior reporter for CNET News, focusing on Google and Yahoo. He previously worked for PandoDaily and Fortune Magazine, and his writing has appeared in The New York Times, on CNNMoney.com and on CJR.org.
Joan E. Solsman
Richard Nieva
2 min read
Watch this: Over a million Google accounts compromised by malware

More than a million Google accounts have been hit by malicious software, a security firm said on Wednesday.

Check Point said in a blog post that the attack campaign, known as Gooligan, is expanding to an additional 13,000 devices a day. It's malware that infects devices and steals their authentication tokens to breach data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and other programs.

The malware attack is said to be the biggest single theft of Google accounts on record, according to Forbes. But the reason for the attack may not be what you'd expect. It's not to grab personal information from the accounts of Google users. Instead, it's to force them to download apps that are part of an advertising fraud scheme that makes up to $320,000 a month, Michael Shaulov, head of mobile and cloud security at Check Point, told Forbes.

Google responded to a request for comment with a link to its blog post about the attack. In the post, Google said it has found no evidence that Gooligan has accessed user data or that specific groups of people have been targeted. "The motivation...is to promote apps, not steal information," Google said.

The episode comes at a time when cyber attacks have been a high profile problem, hitting everyone from internet giants to the Democratic National Committee. In September, Yahoo suffered what is believed to be the biggest cyber attack in history, in which hackers swiped information from more than half a billion accounts. And in July, the White House said it believed Russia was behind hacks of the DNC.

Gooligan belongs to a family of malware called Ghost Push. It features a Trojan horse type of attack, in which the malicious software poses as legitimate apps for Android smartphones and tablets. Names of the malicious apps include StopWatch, Perfect Cleaner and WiFi Enhancer, according to The Wall Street Journal. Once installed, these apps automatically install other apps, some of which can steal usernames and passwords to post fake reviews.

Those downloads and reviews apparently feed into the hackers' ad fraud scheme. The hackers have run ads in those forcibly downloaded apps, so every click or download helps the hackers make money, Forbes reported.

Check Point said Gooligan is a variant of an Android malware campaign found by researchers in the SnapPea app last year.

The Gooligan apps come from third-party app stores or websites, instead of the Google Play store, where the company has more authorization over apps. But Check Point said some apps that Gooligan downloads without permission can be found on the Play store.

Google said it has removed those apps from the Play store.

People who are worried that their Google accounts may be compromised can consult the Check Point website.

First published November 30 at 8:47 a.m. PT.
Update, 9:37 and 10:57 a.m. PT: Adds comment from Google and more information throughout.